
Anomali Cyber Watch: Notepad++ Attack, RAT Uses Hugging Face, Microsoft Office Flaw and more

Notepad++ Supply Chain Attack Delivers Chrysalis Backdoor. Android RAT Uses Hugging Face Platform to Host Malicious Payloads. Fancy Bear Exploits Microsoft Office Flaw in Ukraine. Nitrogen Ransomware Decryptor Fails Due to Coding Error. And more...
Published on February 10, 2026
<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://securelist.com/notepad-supply-chain-attack/118708/" target="_blank" rel="noopener noreferrer">Notepad++ Supply Chain Attack Delivers Chrysalis Backdoor</a></h2> <p>(published: February 3, 2026)</p> <p> Researchers have uncovered a sophisticated supply chain attack attributed with moderate confidence to the China-linked Lotus Blossom APT group targeting Notepad++ users from June through December 2025. Attackers compromised the infrastructure of Notepad++'s shared hosting provider and abused the updater's insufficient verification of downloaded updates (CVE-2025-15556) to selectively intercept update traffic and redirect it to attacker-controlled servers delivering malicious payloads. The hosting server was directly compromised until September 2, 2025, when scheduled maintenance updated the kernel and firmware, but attackers retained stolen credentials to internal services enabling continued traffic manipulation until December 2, 2025. Researchers identified three distinct infection chains deployed from July through October 2025, targeting approximately a dozen machines belonging to individuals in Vietnam, El Salvador, and Australia, along with government organizations in the Philippines, financial institutions in El Salvador, and IT service providers in Vietnam. All malicious updates were packaged as NSIS installers executed by the legitimate GUP.exe updater, with attackers constantly rotating command and control server addresses, downloaders, and final payloads throughout the campaign. 
Chain one exploited a legacy ProShow software vulnerability to deliver Metasploit loaders fetching Cobalt Strike Beacons, chain two utilized Lua interpreter components executing shellcode from configuration files, and chain three employed DLL sideloading via renamed legitimate Bitdefender executables to deploy the previously undocumented Chrysalis backdoor featuring sixteen command capabilities including interactive shell access, file transfer, and complete self-removal. Notepad++ has since migrated to a new hosting provider and released version 8.8.9 implementing certificate and signature verification for downloaded installers, with mandatory XML signature validation expected in version 8.9.2.<br> <br><b>Analyst Comment:</b> This incident underscores the continued effectiveness of supply chain attacks in bypassing traditional security controls. The highly selective targeting affected roughly a dozen machines globally, suggesting Lotus Blossom conducted detailed reconnaissance and employed traffic filtering to avoid detection through mass compromise. Organizations should verify Notepad++ deployments are running version 8.8.9 or newer and review published IoCs to identify potential compromise. The attackers' operational sophistication is evident in their monthly rotation of infrastructure and infection chains, combined with their ability to maintain access through stolen credentials after losing direct server access. The six-month window between initial server compromise and final credential rotation highlights the extended exposure timelines possible in hosting provider breaches. The abuse of legitimate binaries including Bitdefender executables and Lua interpreters for malicious payload delivery demonstrates how attackers leverage trusted tooling to evade signature-based detection mechanisms. 
Defenders should inventory applications using custom update mechanisms rather than centralized update servers, particularly developer tools that may operate with elevated privileges or access sensitive systems.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9611">T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/10029">T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9834">T1106 - Native Api</a> | <a href="https://ui.threatstream.com/attackpattern/39613">T1059.011 - Command and Scripting Interpreter: Lua</a> | <a href="https://ui.threatstream.com/attackpattern/9860">T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/9933">T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/18584">T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9597">T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/12881">T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9814">T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/39627">T1480.002 - Execution Guardrails: Mutual Exclusion</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - 
System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9631">T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9710">T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9957">T1049 - System Network Connections Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9863">T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9986">T1518.001 - Software Discovery: Security Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9716">T1573 - Encrypted Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/30607">T1567.003 - Exfiltration Over Web Service: Exfiltration to Text Storage Sites</a><br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/android-rat-hugging-face-host/" target="_blank" rel="noopener noreferrer">Android RAT Uses Hugging Face Platform to Host Malicious Payloads</a></h2> <p>(published: February 2, 2026)</p> <p> An Android remote access trojan (RAT) campaign uses Hugging Face repositories to host malicious payloads, exploiting the legitimate AI platform's trusted status to evade detection. The infection chain begins when users download TrustBastion, a dropper masquerading as a security app that claims to detect scams, phishing, and malware. Malicious advertisements display popups warning that the device is infected, prompting installation of the fake security solution. 
Once installed, TrustBastion immediately requests an update using dialogs designed to mimic legitimate Google Play and Android system interfaces. The dropper contacts an encrypted endpoint at trustbastion[.]com, which returns an HTML file containing a redirect link to a Hugging Face repository hosting the actual RAT payload. This multi-step delivery mechanism allows malicious traffic to appear legitimate, as Hugging Face is a widely used platform for hosting AI models and datasets. The campaign used server-side polymorphism, generating new payloads approximately every 15 minutes to evade hash-based detection. The repository accumulated over 6,000 commits across 29 days before takedown. The payload masquerades as a Phone Security feature and abuses Accessibility Services to enable screen recording, screen casting, and overlay display. The RAT impersonates Alipay and WeChat to harvest credentials and maintains persistent communication with a command-and-control server. Following takedown in late December 2025, the operation migrated to a new repository hosting Premium Club, which uses identical underlying code.<br> <br><b>Analyst Comment:</b> This campaign demonstrates how threat actors bypass mobile security controls by abusing trusted platforms and the sideloading attack vector. Google confirmed TrustBastion was distributed outside the Play Store via malicious advertisements, placing it beyond standard Play Store protections. Organizations managing mobile devices should enforce policies that restrict sideloading and implement mobile threat defense solutions capable of behavioral analysis, as the automated payload generation every 15 minutes defeats signature-based detection. The abuse of Accessibility Services is particularly concerning, as this permission grants comprehensive device control including credential capture from legitimate applications. 
Organizations should configure mobile device management to alert on or block Accessibility Services requests from non-system apps. For individual users, the key defense is avoiding manual APK installations regardless of how urgent or legitimate the prompting appears, particularly from security warnings or popups claiming device infection.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/39614">T1027.014 - Obfuscated Files or Information: Polymorphic Code</a> | <a href="https://ui.threatstream.com/attackpattern/10107">T1608.001 - Stage Capabilities: Upload Malware</a> | <a href="https://ui.threatstream.com/attackpattern/9714">T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9674">T1056.002 - Input Capture: Gui Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9671">T1113 - Screen Capture</a><br> </p> <h2 id="article-1"><a href="https://www.helpnetsecurity.com/2026/02/03/russian-hackers-are-exploiting-recently-patched-microsoft-office-vulnerability-cve-2026-21509/" target="_blank" rel="noopener noreferrer">Fancy Bear Exploits Microsoft Office Flaw in Ukraine </a></h2> <p>(published: February 3, 2026)</p> <p> APT28 (Fancy Bear) weaponized CVE-2026-21509, a Microsoft Office vulnerability with a CVSS score of 7.8, within days of its disclosure. Microsoft patched the flaw on January 26, 2026, after detecting active exploitation. CERT-UA identified malicious documents exploiting the vulnerability on January 29, with one file created just one day after Microsoft's patch release. The vulnerability affects Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise, allowing attackers to bypass security protections that block malicious embedded objects. 
APT28 targeted Ukrainian government agencies and organizations across Slovakia and Romania using weaponized RTF documents delivered via phishing emails. Researchers identified two distinct attack chains. The first deploys MiniDoor, which installs malicious code into Microsoft Outlook to steal emails from user mailboxes and forward them to attacker-controlled addresses. The second chain uses PixyNetLoader, a previously undocumented loader that establishes persistence through COM hijacking and deploys the Covenant Grunt backdoor. Both chains abuse the legitimate Filen cloud storage service for command and control communications. The attacks demonstrate APT28's rapid exploitation of newly disclosed vulnerabilities, with infrastructure registered and used on the same day in some cases.<br> <br><b>Analyst Comment:</b> CVE-2026-21509 is an allowlist gap rather than a sophisticated bypass mechanism. Microsoft Office has blocked dangerous OLE browser objects like Shell.Explorer and Shell.Explorer.2 for years, but Shell.Explorer.1 was never added to the blocklist. When weaponized RTF documents are opened, Office instantiates this COM object as if it were legitimate, allowing the embedded browser component to navigate to remote resources and fetch LNK files that initiate the malware delivery chain. This technique has been publicly documented since 2018 yet remained unpatched until active exploitation forced an emergency response. APT28's ability to deploy working exploits within one to three days of disclosure suggests either prior zero-day knowledge or rapid weaponization capabilities built on established research. Organizations should prioritize patching Office 2016 and 2019 installations, which require manual updates, while Office 2021 and later versions receive automatic protection after application restarts. For environments unable to patch immediately, registry-based mitigations that block the Shell.Explorer.1 CLSID are documented in Microsoft's advisory. 
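<br> <br>One way to triage RTF attachments for the Shell.Explorer.1 object discussed above is to extract the ProgID of every embedded OLE object and compare it against a short blocklist. The scanner below is an added example written for this digest, not code from the CERT-UA or Microsoft publications. It assumes the object is embedded in the ordinary RTF way (a ProgID after the objclass control word and an OLE 1.0 payload after objdata) and reads both, since a lure can omit objclass; the sample document it builds is constructed for the test and carries no exploit.

```python
"""Added example for this digest (not code from the cited reports): pull the
ProgID of each OLE object embedded in an RTF file and flag Shell.Explorer.1."""
import re
import struct
from typing import Optional

# Shell.Explorer.1 is the ProgID left off Office's blocklist (CVE-2026-21509);
# the two long-blocked siblings are included so a scan also catches older lures.
SUSPICIOUS_CLASSES = {"shell.explorer.1", "shell.explorer", "shell.explorer.2"}

# RTF names an embedded object's ProgID with the objclass control word and
# carries the OLE payload as a hex string after the objdata control word.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def ole1_class_name(blob: bytes) -> Optional[str]:
    """ClassName from an OLE 1.0 object header: OLEVersion (u32), FormatID
    (u32: 1 = linked, 2 = embedded), then a length-prefixed ANSI string whose
    length includes the terminating NUL."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or not 0 < name_len <= 256:
        return None
    if len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def extract_objects(rtf: bytes) -> list:
    """One record per ProgID seen, from objclass and from the OLE1 header in
    objdata. Both are read because a lure may omit objclass entirely."""
    found = []
    for m in OBJCLASS_RE.finditer(rtf):
        found.append({"source": "objclass", "class": m.group(1).decode("latin-1")})
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]      # tolerate a dangling nibble
        try:
            blob = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue
        name = ole1_class_name(blob)
        if name:
            found.append({"source": "objdata", "class": name})
    return found


def scan(rtf: bytes) -> dict:
    """All embedded-object ProgIDs plus the sorted subset that is flagged."""
    objects = extract_objects(rtf)
    flagged = sorted({o["class"].lower() for o in objects} & SUSPICIOUS_CLASSES)
    return {"objects": objects, "flagged": flagged}


def build_sample(progid: str, declare_class: bool = True) -> bytes:
    """Constructed test input, not an exploit: a minimal RTF holding one OLE1
    object whose header names `progid`; TopicName, ItemName and NativeData
    are empty (three zero u32 lengths)."""
    name = progid.encode("ascii") + b"\x00"
    ole1 = struct.pack("<III", 0x501, 2, len(name)) + name + b"\x00" * 12
    decl = b"\\objclass " + progid.encode("ascii") if declare_class else b""
    return (b"{\\rtf1{\\object\\objemb" + decl
            + b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for doc in (build_sample("Shell.Explorer.1"), build_sample("Word.Document.8")):
        print(scan(doc))
```

A hit on Shell.Explorer.1 is a strong signal by itself, because ordinary business documents rarely embed a browser control. Real-world RTF lures often pad or split control words to defeat matchers this simple, so treat the logic above as the check to port into a full RTF parser such as oletools' rtfobj rather than as a production scanner.<br> <br>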
Standard macro-based detection strategies may prove insufficient, as exploitation requires no macros or user interaction beyond opening the document itself.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9834">T1106 - Native Api</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9912">T1546.015 - Event Triggered Execution: Component Object Model Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9704">T1137.006 - Office Application Startup: Add-Ins</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/39627">T1480.002 - Execution Guardrails: Mutual Exclusion</a> | <a href="https://ui.threatstream.com/attackpattern/18584">T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a> | <a href="https://ui.threatstream.com/attackpattern/9867">T1027.003 - Obfuscated Files or Information: Steganography</a> | <a href="https://ui.threatstream.com/attackpattern/10000">T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9668">T1114 - Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a><br> <b>Target Industry:</b> Government / government national<br> <b>Target Region:</b> Europe<br> <b>Target Country:</b> 
Ukraine<br> <b>Source Country:</b> Russian Federation<br> <b>Source Region:</b> Europe<br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/" target="_blank" rel="noopener noreferrer">Nitrogen Ransomware Decryptor Fails Due to Coding Error </a></h2> <p>(published: February 4, 2026)</p> <p> Nitrogen ransomware targeting VMware ESXi hypervisors contains a programming error that prevents file decryption, rendering encrypted files irrecoverable. The malware stores an encryption key in memory but then overwrites part of that key with zeros before use, corrupting it. Because the key actually used for encryption was corrupted in memory and never recorded anywhere, no matching decryption key exists to reverse the encryption. Organizations affected by Nitrogen ESXi encryption without viable backups have no recovery options, as paying the ransom will not yield functional decryption tools. Nitrogen originated from the leaked Conti 2 builder and began activity in 2023, initially developing malware to facilitate initial access through malvertising campaigns that impersonated legitimate IT tools. The group evolved into conducting full extortion operations around September 2024. The bug specifically affects the ESXi variant of Nitrogen's ransomware, not their broader Windows-targeting campaigns.<br> <br><b>Analyst Comment:</b> This case transforms Nitrogen ESXi infections from ransomware into destructive malware, as the coding error makes decryption technically impossible regardless of payment. Organizations running VMware ESXi should verify whether any Nitrogen infections involve the flawed ESXi variant before considering recovery options. While industry guidance generally discourages ransom payment, this scenario represents a definitive case where payment offers no recovery path. 
The incident underscores that verified offline backups remain the only reliable protection against ransomware, as threat actor competence cannot be assumed even when financial incentives would normally ensure functional decryption. It remains unclear at the time of writing whether Nitrogen has identified and corrected this flaw in subsequent versions.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted For Impact</a> | <a href="https://ui.threatstream.com/attackpattern/32041">T1657 - Financial Theft</a><br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/02/04/critical_solarwinds_web_help_desk/" target="_blank" rel="noopener noreferrer">Critical SolarWinds Web Help Desk Vulnerability Under Active Exploitation</a></h2> <p>(published: February 4, 2026)</p> <p> Attackers are exploiting CVE-2025-40551, a critical untrusted deserialization vulnerability in SolarWinds Web Help Desk that allows remote, unauthenticated attackers to execute operating system commands on affected systems. The vulnerability carries a CVSS score of 9.8 and was patched in Web Help Desk version 2026.1 on January 28, 2026, along with five other vulnerabilities reported by researchers. Among the six disclosed vulnerabilities, four are rated critical, including CVE-2025-40553 (another deserialization flaw) and CVE-2025-40552 and CVE-2025-40554 (authentication bypasses). The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog and directed federal agencies to remediate by Friday, February 6, 2026, an accelerated three-day deadline compared to the typical 14-day requirement. This marks the third time SolarWinds Web Help Desk has appeared in the catalog, following CVE-2024-28987 and CVE-2024-28986 in 2024. Affected versions include Web Help Desk 12.8.8 Hotfix 1 and below. 
The identity of the attackers and the scope of exploitation remain unknown.<br> <br><b>Analyst Comment:</b> This vulnerability represents the fourth iteration of deserialization issues in Web Help Desk's AjaxProxy functionality since August 2024. Help desk and IT service management platforms may be particularly attractive targets due to their privileged access to organizational systems, asset inventories, user credentials, and authentication infrastructure, potentially making them high-value entry points for attackers seeking broad network access. Organizations should upgrade to version 2026.1 immediately and consider implementing compensating controls such as network segmentation and restricting access to trusted networks only. CISA's accelerated three-day remediation deadline, combined with exploitation occurring within one week of patch release, indicates sophisticated threat actors are actively monitoring this product and can rapidly weaponize new vulnerabilities. Defenders should verify the default client account credentials have been changed or disabled, review logs for indicators of compromise, and maintain heightened vigilance.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/new-amaranth-dragon-cyberespionage-group-exploits-winrar-flaw/" target="_blank" rel="noopener noreferrer">Amaranth Dragon Exploits WinRAR Vulnerability in Southeast Asian Espionage Campaigns </a></h2> <p>(published: February 4, 2026)</p> <p> Researchers identified Amaranth Dragon, a previously undocumented threat actor linked to the APT41 ecosystem, conducting espionage operations against government and law enforcement agencies across Southeast Asia since March 2025. 
The group targets organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines using campaigns timed to local political events. Amaranth Dragon began exploiting CVE-2025-8088, a WinRAR path traversal vulnerability, on August 18, 2025, ten days after disclosure. The flaw allows attackers to place malicious scripts in the Windows Startup folder for persistence. Attacks use Amaranth Loader to deliver encrypted payloads, primarily the Havoc post-exploitation framework, with malicious files hosted on Dropbox and AES keys retrieved from Pastebin account amaranthbernadine. Recent campaigns deployed TGAmaranth RAT, which uses Telegram bots for command and control, supports file operations and screenshot capture, and replaces the hooked ntdll.dll with a clean copy to evade endpoint detection and response systems. The group operates Cloudflare-protected command and control infrastructure configured to return HTTP 403 errors to connections from non-targeted IP addresses. Analysis links Amaranth Dragon to APT41 through tool overlaps with DodgeBox, Dustpan, and Dusttrap loaders and UTC+8 operational timing. <br> <br><b>Analyst Comment:</b> Although CVE-2025-8088 was patched in WinRAR version 7.13 in mid-2025, utilities like WinRAR frequently fall outside formal enterprise patch management and asset inventories. These tools are often installed manually or inherited from legacy builds, leaving systems vulnerable even when organizational patching processes function correctly. Amaranth Dragon represents a disciplined China-linked operation demonstrating state-level targeting precision through geo-restricted infrastructure that returns HTTP 403 errors to non-targeted countries, preventing payload delivery outside intended victims and reducing forensic visibility. 
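<br> <br>The Startup-folder persistence described above can be caught with a simple rule over endpoint file-creation telemetry: an archive utility writing anything into a Startup folder is the CVE-2025-8088 pattern, and any runnable file landing there deserves a look regardless of who wrote it. The Python below is an added example for this digest, not code from the cited report. It assumes Sysmon Event ID 11 (FileCreate) records exported as JSON lines with Image and TargetFilename fields; the log lines it carries are constructed for illustration.

```python
"""Added example for this digest (not code from the cited report): flag
file creations in Windows Startup folders from Sysmon Event ID 11 records
exported as JSON lines. Field names follow Sysmon's FileCreate event."""
import json
import re
from pathlib import PureWindowsPath

# Both the per-user (AppData\Roaming) and all-users (ProgramData) Startup
# folders end with this segment.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Archive utilities: a write from these into Startup is the CVE-2025-8088 pattern.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe", "7z.exe", "7zfm.exe",
             "7zg.exe", "bandizip.exe", "peazip.exe"}
# Anything Explorer will run at logon, including shortcuts.
RUNNABLE_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".vbe",
                 ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".dll"}


def score_event(ev: dict):
    """Return (severity, reason) for a FileCreate into a Startup folder,
    or None for events the rule does not care about."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not STARTUP_RE.search(target):
        return None
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    ext = PureWindowsPath(target).suffix.lower()
    if image in ARCHIVERS:
        return "high", f"archive utility {image} wrote into a Startup folder"
    if ext in RUNNABLE_EXTS:
        return "medium", f"{image} dropped a runnable {ext} into a Startup folder"
    return "low", f"{image} wrote a non-executable file into a Startup folder"


def scan_log(lines) -> list:
    """Run score_event over JSON-lines telemetry; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = score_event(ev)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1],
                           "host": ev.get("Computer", "?"),
                           "file": ev.get("TargetFilename", "")})
    return alerts


def _ev(event_id, image, target, **extra):
    return json.dumps({"EventID": event_id, "Computer": "WS-0142", "Image": image,
                       "TargetFilename": target, **extra})


STARTUP_USER = r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_ALL = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    _ev(11, r"C:\Program Files\WinRAR\WinRAR.exe", STARTUP_USER + r"\update.lnk"),
    _ev(11, r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Users\jdoe\Downloads\agenda.docx"),
    _ev(11, r"C:\Windows\explorer.exe", STARTUP_USER + r"\notes.txt"),
    _ev(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        STARTUP_ALL + r"\helper.vbs"),
    _ev(1, r"C:\Program Files\WinRAR\WinRAR.exe", "", CommandLine="WinRAR.exe x invoice.rar"),
    "not json",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The high-severity branch is the one worth paging on; the medium and low tiers exist so the same rule can be tuned rather than rewritten once you see what legitimately writes to Startup in your estate (installers and Explorer shortcut creation are the usual noise). Pair it with an inventory check that WinRAR is at 7.13 or later, since the rule only fires after the file is already in place.<br> <br>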
The group's rapid ten-day weaponization timeline and use of Pastebin account amaranthbernadine for AES key distribution, later migrated to actor-controlled servers for tighter operational control, indicates mature infrastructure management. The operational links to APT41 through shared tooling such as DodgeBox, Dustpan, and Dusttrap suggest resource sharing within China's cyber espionage ecosystem rather than a single monolithic entity. Organizations should audit WinRAR installations across endpoints and update to version 7.13 or later, monitor for password-protected archives from external sources paired with Startup folder modifications, and recognize that third-party utilities require dedicated update tracking separate from operating system and enterprise application patching cycles.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9933">T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9721">T1102 - Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9673">T1056 - Input Capture</a> | <a 
href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> <b>Target Industry:</b> Government, Government / government national, Government / emergency services<br> <b>Target Region:</b> Asia<br> <b>Target Country:</b> Cambodia<br> <b>Source Country:</b> China<br> <b>Source Region:</b> Asia<br> </p> <h2 id="article-1"><a href="https://www.security.com/threat-intelligence/black-basta-ransomware-byovd" target="_blank" rel="noopener noreferrer">Black Basta Ransomware Embeds BYOVD Defense Evasion Component in Payload </a></h2> <p>(published: February 5, 2026)</p> <p> A recent Black Basta attack campaign embedded a bring-your-own-vulnerable-driver (BYOVD) defense evasion component directly within the ransomware payload itself, rather than deploying it as a separate tool. The payload drops and exploits a vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) to terminate security processes before encryption. The bundled driver allows a local, authenticated attacker to kill processes owned by other users, including SYSTEM and Protected Processes, through crafted Input/Output Control (IOCTL) requests, which are system calls that allow communication with kernel-mode drivers. The ransomware targets specific security products from Sophos, Symantec, Microsoft Defender, CrowdStrike, Cylance, ESET, and Avast, appending the .locked extension to encrypted files. This approach is unusual for modern ransomware operators and had not been previously observed in Black Basta campaigns. Its adoption by Black Basta, developed by the Cardinal group, may indicate a mainstreaming of this tactic. 
The activity follows months of reduced operations after internal chat logs were leaked in February 2025 and recent law enforcement raids on alleged group members in Ukraine, with the suspected leader placed on Interpol's Most Wanted list.<br> <br><b>Analyst Comment:</b> The bundling of defense evasion capability within the ransomware payload eliminates the temporal gap between driver deployment and encryption, potentially reducing detection opportunities for defenders. Organizations should ensure security controls can detect and block known vulnerable drivers like NSecKrnl at execution, not just at the point of file creation. This tactical evolution by a major ransomware group following months of reduced activity may signal broader adoption of embedded defense evasion across the ransomware ecosystem. Defenders should also consider that traditional staging indicators may be less visible when capabilities are consolidated into single payloads, requiring adjusted detection strategies that account for compressed attack timelines.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9762">T1211 - Exploitation For Defense Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10079">T1562.001 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9812">T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted For Impact</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html " target="_blank" rel="noopener noreferrer">Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign </a></h2> <p>(published: February 5, 2026)</p> 
<p> Threat actors exploited React2Shell (CVE-2025-55182, CVSS score 10.0) to inject malicious NGINX configurations that intercept legitimate web traffic and route it through attacker-controlled backend servers. The campaign targets country-code TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure using Baota Panel, and government and educational domains (.edu, .gov). Attackers deploy a multi-stage shell script toolkit that automatically identifies NGINX installations, injects malicious location blocks using the proxy_pass directive, and redirects traffic to three attacker-controlled domains: xzz.pier46[.]com, ide.hashbank8[.]com, and th.cogicpt[.]org. The malicious configurations preserve original request headers and user context, making the hijacking difficult to detect while allowing attackers to intercept sensitive data or manipulate content. The toolkit includes mechanisms to avoid service disruption by validating configurations before reload and generates reports of compromised domains that are exfiltrated to 158.94.210[.]227. Two IP addresses account for 56 percent of observed React2Shell exploitation attempts, with 1,083 unique source IPs active between January 26 and February 2, 2026.<br> <br><b>Analyst Comment:</b> Patching React2Shell closes the entry point but does not remediate malicious configurations already injected into compromised systems. Organizations should audit NGINX configuration files even if React2Shell has been patched, specifically searching for the three attacker domains in proxy_pass directives and checking for suspicious files in /etc/nginx/, /tmp/, and the persistence file /tmp/.domain_group_map.conf. The traffic hijacking is designed to be silent because it abuses legitimate NGINX proxy functionality rather than deploying traditional malware, making detection challenging as modified configurations may appear normal at first glance. 
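<br> <br>The audit recommended above can be scripted so that every proxy_pass target is resolved (including through upstream blocks) and compared against a baseline of backends you actually run. The Python below is an added example for this digest, not the attackers' toolkit and not NGINX project code. It carries the three hijack domains named above un-defanged so they can be matched literally, assumes a practitioner-supplied baseline set of legitimate backend hosts, and parses configuration with regular expressions rather than a full NGINX grammar, so it does not follow include directives; feed it the output of nginx -T, which dumps the fully merged configuration, to cover those.

```python
"""Added example for this digest (not the report's toolkit, not NGINX code):
audit proxy_pass targets against a backend baseline and the known hijack hosts."""
import re
from pathlib import Path

# The three domains the report names as hijack destinations, un-defanged.
KNOWN_BAD_HOSTS = {"xzz.pier46.com", "ide.hashbank8.com", "th.cogicpt.org"}
PERSISTENCE_FILE = Path("/tmp/.domain_group_map.conf")

COMMENT_RE = re.compile(r"#[^\n]*")
UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{([^}]*)\}")
SERVER_RE = re.compile(r"\bserver\s+([^;\s]+)")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")


def target_host(arg: str):
    """Host part of a proxy_pass argument such as http://h:8080/path or
    https://h$request_uri. Returns None for variable-driven targets."""
    rest = arg.split("://", 1)[1] if "://" in arg else arg
    if rest.startswith("unix:"):
        return "unix-socket"
    if rest.startswith("$"):
        return None
    if rest.startswith("["):                       # bracketed IPv6 literal
        end = rest.find("]")
        return rest[1:end].lower() if end > 0 else None
    return re.split(r"[/:$?]", rest, 1)[0].lower() or None


def audit_config_text(text: str, baseline: set) -> list:
    """One finding per proxy_pass directive: the line, the raw target, the
    resolved hosts and a verdict of known_bad, not_in_baseline, dynamic or ok."""
    text = COMMENT_RE.sub("", text)                # drop comments, keep newlines
    upstreams = {name: [target_host(s) for s in SERVER_RE.findall(body)]
                 for name, body in UPSTREAM_RE.findall(text)}
    findings = []
    for m in PROXY_PASS_RE.finditer(text):
        host = target_host(m.group(1))
        hosts = [h for h in (upstreams.get(host, [host]) if host else []) if h]
        if not hosts:
            verdict = "dynamic"
        elif any(h in KNOWN_BAD_HOSTS for h in hosts):
            verdict = "known_bad"
        elif any(h not in baseline for h in hosts):
            verdict = "not_in_baseline"
        else:
            verdict = "ok"
        findings.append({"line": text.count("\n", 0, m.start()) + 1,
                         "target": m.group(1), "hosts": hosts, "verdict": verdict})
    return findings


def audit_tree(root: Path, baseline: set) -> list:
    """Audit every config file under a directory such as /etc/nginx and note
    the toolkit's persistence file if it is present."""
    findings = []
    for path in sorted(p for p in root.rglob("*")
                       if p.is_file() and p.suffix in ("", ".conf")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for f in audit_config_text(text, baseline):
            findings.append({"file": str(path), **f})
    if PERSISTENCE_FILE.exists():
        findings.append({"file": str(PERSISTENCE_FILE), "line": 0, "target": "",
                         "hosts": [], "verdict": "persistence_file_present"})
    return findings


# Constructed sample: one legitimate upstream, two hijacked locations mirroring
# the pattern described above, and one variable-driven target.
SAMPLE_CONF = """\
upstream app { server 127.0.0.1:8080; }
server {
    listen 80;
    location /api/ { proxy_pass http://app; }
    location / { proxy_pass http://xzz.pier46.com; proxy_set_header Host $host; }
    location /x/ { proxy_pass https://ide.hashbank8.com$request_uri; }  # injected
    location /dyn/ { proxy_pass http://$backend; }
}
"""
BASELINE = {"127.0.0.1", "localhost", "app-backend.internal"}

if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_CONF, BASELINE):
        print(finding)
```

A known_bad verdict is a confirmed indicator; not_in_baseline entries need a human look, and dynamic targets should be traced to wherever the variable is set (a map block or an earlier set directive), which this simple parser does not do. Run the same audit from a file-integrity baseline on a schedule, since the toolkit validates and reloads cleanly and leaves no error-log trace to alert on.<br> <br>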
Defenders should implement configuration file integrity monitoring and establish baselines for legitimate NGINX configurations, as detection requires identifying when normal infrastructure has been reconfigured maliciously rather than searching for malicious files.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9809">T1059.004 - Command and Scripting Interpreter: Unix Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9697">T1505 - Server Software Component</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9863">T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9893">T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.malwarebytes.com/blog/news/2026/02/open-the-wrong-pdf-and-attackers-gain-remote-access-to-your-pc" target="_blank" rel="noopener noreferrer">DEAD#VAX campaign delivers AsyncRAT through IPFS-hosted VHD files disguised as PDFs </a></h2> <p>(published: February 5, 2026)</p> <p> Attackers behind the DEAD#VAX campaign distribute AsyncRAT through phishing emails linking to virtual hard disk (VHD) files disguised as PDF documents. Emails impersonate business communications such as purchase orders or invoices, often referencing real companies. Download links direct victims to files hosted on InterPlanetary File System (IPFS), a decentralized storage network that complicates takedown efforts and bypasses email gateway controls. 
The VHD files display PDF icons and filenames but automatically mount as drives when opened, bypassing Windows Mark-of-the-Web protections. Inside the mounted drive is a Windows Script File (WSF) that executes three layers of decryption to drop a heavily obfuscated batch file. The batch file performs anti-analysis checks including VMware detection, 3GB minimum RAM validation, and admin privilege verification before extracting encrypted PowerShell code. The PowerShell stage establishes persistence through hidden scheduled tasks and VBS launchers, retrieves encrypted shellcode from disk, and injects AsyncRAT into trusted Microsoft-signed processes (RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, sihost.exe). The malware operates entirely in memory and prevents reinfection by scanning for a specific marker byte sequence. AsyncRAT provides keylogging, screen capture, clipboard monitoring, file system access, remote command execution, and enables follow-on attacks including lateral movement.<br> <br><b>Analyst Comment:</b> This campaign systematically defeats traditional security controls by layering legitimate Windows features rather than relying on novel techniques. VHD containers bypass email filtering and security warnings, while multi-stage script execution leads to fileless malware running inside trusted processes. Organizations relying on signature-based antivirus or traditional file scanning likely lack visibility into this attack chain, as the payload never appears on disk in recognizable form and executes within processes that normally operate in the background. The anti-analysis checks may also evade automated sandbox environments. Effective defense requires behavioral monitoring capabilities that can detect process injection activity, PowerShell Script Block Logging to capture runtime script execution, and memory analysis to identify malicious code operating within legitimate processes. 
Organizations should enable file extension visibility across endpoints to help users identify VHD and WSF files disguised as documents, and consider blocking these file types at email gateways unless required for business operations. The presence of reinfection prevention mechanisms suggests a disciplined adversary focused on maintaining stable, long-term access rather than aggressive or noisy operations. <br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/10029">T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9853">T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: Javascript</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9592">T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/9914">T1055.001 - Process Injection: Dynamic-Link Library Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9932">T1218.005 - Signed Binary Proxy Execution: Mshta</a> | <a href="https://ui.threatstream.com/attackpattern/10089">T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a 
href="https://ui.threatstream.com/attackpattern/9888">T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9716">T1573 - Encrypted Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9607">T1565.001 - Data Manipulation: Stored Data Manipulation</a><br> </p> <h2 id="article-1"><a href="https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/" target="_blank" rel="noopener noreferrer">Shadow Campaigns Target Government Entities Across 37 Countries </a></h2> <p>(published: February 5, 2026)</p> <p> Researchers have identified a new cyberespionage group tracked as TGR-STA-1030 (UNC6619) that compromised government and critical infrastructure organizations across 37 countries over the past year and conducted reconnaissance against 155 countries between November and December 2025. The group is assessed with high confidence to be state-aligned and operating out of Asia based on use of regional tooling, language settings, targeting alignment with regional intelligence interests, and operational timing consistent with GMT+8. Targets include five national-level law enforcement or border control entities, three ministries of finance, and departments aligned with economic, trade, natural resources, and diplomatic functions. The group delivers malware through phishing campaigns using ministry reorganization lures with links to archives hosted on mega[.]nz, deploying an executable named DiaoYu.exe that performs environmental checks before installing Cobalt Strike payloads. 
Additional access methods include exploitation of N-day vulnerabilities in SAP, Microsoft Exchange, D-Link, and Atlassian Crowd (CVE-2019-11580). Post-compromise activity involves deployment of command and control frameworks including VShell and Cobalt Strike, web shells such as Behinder and Godzilla, and a custom Linux kernel rootkit named ShadowGuard that provides process hiding and file concealment capabilities at the kernel level.<br> <br><b>Analyst Comment:</b> The scale of this campaign is exceptional, with the group demonstrating both strategic focus and operational persistence across government sectors globally. Victimology analysis suggests the group prioritizes intelligence collection related to economic partnerships, rare earth minerals, trade agreements, and diplomatic relations rather than opportunistic targeting. While government entities and critical infrastructure remain primary targets, the group has already compromised private sector organizations in strategic sectors including mining, energy, finance, and aviation when they hold intelligence value. The group's reliance on N-day exploitation and relatively common post-compromise tools means their technical capabilities could easily extend to additional private sector targets if intelligence priorities shift. Organizations in strategic industries should prioritize patching known vulnerabilities, particularly CVE-2019-11580 and the listed Microsoft Exchange and SAP flaws, and monitor for phishing campaigns using government reorganization themes with mega[.]nz distribution links. 
The ShadowGuard rootkit represents advanced capability, though its deployment appears limited at this time.<br> <br><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9614">T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9869">T1505.003 - Server Software Component: Web Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/10089">T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9986">T1518.001 - Software Discovery: Security Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9776">T1564 - Hide Artifacts</a> | <a href="https://ui.threatstream.com/attackpattern/9777">T1564.001 - Hide Artifacts: Hidden Files And Directories</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9893">T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9733">T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/10007">T1046 - Network Service Scanning</a> | <a href="https://ui.threatstream.com/attackpattern/9656">T1021.004 - Remote Services: Ssh</a> | <a href="https://ui.threatstream.com/attackpattern/9605">T1021.001 
- Remote Services: Remote Desktop Protocol</a><br> </p> </div> </div>
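The React2Shell entry above tells defenders to audit NGINX configuration files for proxy_pass directives pointing at the three reported domains, to look for the /tmp/.domain_group_map.conf persistence file, and to baseline configuration files for integrity monitoring. The following is an added example, not code from the Anomali post or the cited research, showing those three checks in Python. The indicators are the ones quoted in the entry (kept defanged in the source and refanged only for matching); the sample configuration, the file paths, and all function names are constructed for this example.

```python
"""Added example: defender-side audit for the NGINX proxy_pass hijack
described in the React2Shell entry. Indicators come from that entry;
sample config, paths and function names are constructed here."""
import hashlib
import re
from pathlib import Path

# Indicators exactly as quoted in the entry (defanged with [.]).
HIJACK_DOMAINS = {"xzz.pier46[.]com", "ide.hashbank8[.]com", "th.cogicpt[.]org"}
EXFIL_IP = "158.94.210[.]227"
PERSISTENCE_FILE = "/tmp/.domain_group_map.conf"


def refang(ioc):
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


BAD_HOSTS = {refang(d) for d in HIJACK_DOMAINS} | {refang(EXFIL_IP)}

# 'proxy_pass <target>;' on its own line; [ \t] (not \s) keeps line counts exact.
PROXY_PASS_RE = re.compile(r"^[ \t]*proxy_pass[ \t]+(\S+?)[ \t]*;", re.MULTILINE)


def host_of(target):
    """Host part of a proxy_pass target such as 'https://host:443/path'.
    An upstream-block name (no scheme, no port) is returned unchanged."""
    t = re.sub(r"^[a-z]+://", "", target, flags=re.IGNORECASE)
    t = t.split("/", 1)[0].split("@")[-1]   # drop path and any userinfo
    if t.startswith("["):                    # bracketed IPv6 literal
        return t[1:].split("]", 1)[0].lower()
    return t.split(":", 1)[0].lower()


def proxy_pass_targets(config_text):
    """Every proxy_pass directive in a config as [(line_number, target)]."""
    return [(config_text.count("\n", 0, m.start()) + 1, m.group(1))
            for m in PROXY_PASS_RE.finditer(config_text)]


def find_hijacked_proxy_pass(config_text):
    """proxy_pass directives whose host is one of the reported attacker hosts."""
    return [{"line": ln, "target": tgt, "host": host_of(tgt)}
            for ln, tgt in proxy_pass_targets(config_text)
            if host_of(tgt) in BAD_HOSTS]


def flag_persistence_artifacts(paths):
    """From an iterable of paths seen on the host, return those matching the
    persistence file named in the entry."""
    return sorted(p for p in paths if p == PERSISTENCE_FILE)


def baseline_hashes(conf_dir):
    """sha256 of every file under conf_dir keyed by relative path. Capture this
    while the config is known-good and compare later snapshots against it."""
    root = Path(conf_dir)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(known_good, current):
    """Files added, removed or modified relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(k for k in known_good.keys() & current.keys()
                           if known_good[k] != current[k]),
    }


# Constructed sample: a normal vhost plus an injected location block that
# mirrors the pattern in the entry (client headers preserved, traffic
# proxied to an attacker-controlled host).
SAMPLE_CONF = """\
server {
    listen 80;
    server_name www.example.test;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://xzz.pier46.com:443/;
    }
}
"""

if __name__ == "__main__":
    for hit in find_hijacked_proxy_pass(SAMPLE_CONF):
        print(f"line {hit['line']}: proxy_pass -> {hit['host']} ({hit['target']})")
    print(flag_persistence_artifacts(["/tmp/.domain_group_map.conf", "/tmp/x"]))
    # Against a real host: snap = baseline_hashes("/etc/nginx"); store it,
    # then diff_baseline(stored, baseline_hashes("/etc/nginx")) on a schedule.
```

The indicator match is exact-host only, which is deliberate: the entry's point is that the configuration looks legitimate apart from where proxy_pass sends traffic, so the baseline diff is what catches a rotated domain that is not on the list. Run baseline_hashes over the live configuration directory (including conf.d and sites-enabled) rather than only nginx.conf, since the entry describes injected location directives that can live in any included file.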
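The DEAD#VAX entry above recommends PowerShell Script Block Logging as the control that captures the runtime script stage, and lists what that stage does: hidden scheduled tasks, reading encrypted shellcode from disk, and injection into RuntimeBroker.exe, OneDrive.exe, taskhostw.exe and sihost.exe. The following is an added example, not code from the Anomali post or the Malwarebytes research, showing how a defender might triage logged script blocks (event ID 4104) for those behaviours. The heuristics, the record layout and the sample records are constructed for this example; any single heuristic is noisy on its own, so records are only surfaced when several fire together.

```python
"""Added example: triage of PowerShell Script Block Logging records (4104)
for behaviours the DEAD#VAX entry attributes to the PowerShell stage.
Heuristics, record layout and sample records are constructed here."""
import re

# Microsoft-signed processes the entry names as injection targets.
INJECTION_TARGETS = ("RuntimeBroker.exe", "OneDrive.exe", "taskhostw.exe", "sihost.exe")

# Label -> pattern over the logged ScriptBlockText. Each maps to one behaviour
# described in the entry; none is a compromise indicator by itself.
HEURISTICS = {
    "references_injection_target": re.compile(
        "|".join(re.escape(p[:-4]) for p in INJECTION_TARGETS), re.IGNORECASE),
    "creates_scheduled_task": re.compile(
        r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.IGNORECASE),
    "hidden_window_or_task": re.compile(
        r"-WindowStyle\s+Hidden|-Hidden\b", re.IGNORECASE),
    "reads_and_decodes_payload": re.compile(
        r"\[IO\.File\]::ReadAllBytes|Get-Content\b.*-Encoding\s+Byte|FromBase64String",
        re.IGNORECASE),
}


def score_script_block(text):
    """Labels of the heuristics that fire on one script block, in table order."""
    return [label for label, rx in HEURISTICS.items() if rx.search(text)]


def triage_4104(records, min_hits=2):
    """Keep 4104 records on which at least min_hits heuristics fire.
    A lone hit (one scheduled-task creation, say) is routine admin scripting."""
    out = []
    for rec in records:
        if rec.get("EventID") != 4104:
            continue
        hits = score_script_block(rec.get("ScriptBlockText", ""))
        if len(hits) >= min_hits:
            out.append({"ScriptBlockId": rec.get("ScriptBlockId"), "hits": hits})
    return out


# Constructed records carrying the 4104 fields this triage reads. b3 is a
# benign-looking stand-in that merely mentions the behaviours, not malware.
SAMPLE_RECORDS = [
    {"EventID": 4104, "ScriptBlockId": "b1",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"EventID": 4104, "ScriptBlockId": "b2",
     "ScriptBlockText": "Register-ScheduledTask -TaskName 'Backup' -Action $a -Trigger $t"},
    {"EventID": 4104, "ScriptBlockId": "b3",
     "ScriptBlockText": "$s = New-ScheduledTaskSettingsSet -Hidden; "
                        "Register-ScheduledTask -TaskName 'svc' -Settings $s\n"
                        "$bytes = [IO.File]::ReadAllBytes($p); $target = Get-Process RuntimeBroker"},
    # Different event ID: 4103 is module logging, not a script block; ignored.
    {"EventID": 4103, "ScriptBlockId": "x",
     "ScriptBlockText": "Register-ScheduledTask RuntimeBroker -Hidden"},
]

if __name__ == "__main__":
    for finding in triage_4104(SAMPLE_RECORDS):
        print(finding["ScriptBlockId"], ", ".join(finding["hits"]))
```

In production the records would come from the Microsoft-Windows-PowerShell/Operational channel rather than an inline list, and the min_hits threshold should be tuned against a week of normal logging before alerts are wired to it. The entry also notes the stage runs entirely in memory, so this log-based triage complements, and does not replace, process-injection telemetry from an EDR.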
